Attacks Detected on the Network
3. Repeat Attack-Firewall
Goal: Early warning for scans, worm propagation, etc
Trigger: Alert on 15 or more Firewall Drop/Reject/Deny Events from a single IP Address in one minute.
Event Sources: Firewalls, Routers and Switches

4. Repeat Attack-Network Intrusion Prevention System
Goal: Early warning for scans, worm propagation, etc
Trigger: Alert on 7 or more IDS Alerts from a single IP Address in one minute.
Event Sources: Network Intrusion Detection and Prevention Devices

Attacks and Infections Detected at the Host Level
5. Repeat Attack-Host Intrusion Prevention System
Goal: Find hosts that may be infected or compromised (exhibiting infection behaviors).
Trigger: Alert on 3 or more events from a single IP Address in 10 minutes
Event Sources: Host Intrusion Prevention System Alerts

Virus Detection/Removal
6. Virus or Spyware Detected
Goal: Alert when a virus, spyware or other malware is detected on a host.
Trigger: Alert when a single host sees an identifiable piece of malware
Event Sources: Anti-Virus, HIPS, Network/System Behavioral Anomaly Detectors

7. Virus or Spyware Removed
Goal: Reduce alerts and warnings, if after detection, anti-virus tools are able to remove a known piece of malware.
Trigger: Alert when a single host successfully removes a piece of malware
Event Sources: Anti-Virus, HIPS, Network/System Behavioral Anomaly Detectors

8. Virus or Spyware Detected but Failed to Clean
Goal: Alert when >1 Hour has passed since malware was detected, on a source, with no corresponding virus successfully removed.
Trigger: Alert when a single host fails to auto-clean malware within 1 hour of detection.
Event Sources: Anti-Virus, HIPS, Network/System Behavioral Anomaly Detectors

Attacks from Unknown/Untrusted Sources
The use of periodic automatically updated lists of known attackers and malware sources applied to these correlations is highly preferred.
9. Repeat Attack-Foreign
Goal: Identify remote attackers before they make it into the network. Identify "back scatter" pointing to attacks that may have not been detected by other sources.
Secondary Goal: This rule also identifies new networks with active hosts that have been added to the internal network, but not reported or configured within the SIEM and/or other security tools.
Trigger: Alert on 10 or more failed events from a single IP Address that is not part of the known internal network.
Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events

10. Known Attacker Allowed in Network
Goal: Identify allowed traffic form known "Black listed" sources. If the source is known to be a source of malware or an attack, identify and alert if that source is every allowed into the network,
while conversely filtering out/ignoring "drop/reject/deny" events from these sources when our defenses properly block the traffic.
Trigger: Alert on ANY Allowed (i.e. Firewall Accept, Allowed Login), events from an IP Address that is not part of the known network and is known to have/use malware.
Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events

11. Traffic to Known Attacker
Goal: Identify traffic from an internal address to known "black listed" destination is known to be a source of malware or an attack, identify and alert if traffic is ever allowed to that destination, or if repeat attempts (>5) are detected even when the traffic is blocked. This may indicate an infected host trying to call home.
Trigger: Alert on ANY Allowed (i.e. Firewall Accept, Allowed Login), event to an IP Address that is not part of the known network and is known to have/use malware.
Alternate Trigger: Alert on 5 or more drops from an internal source to any known attacker, or 1 Accept/Allow.
Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events.

High Threat
12. High Threat Targeting Vulnerable Asset
Goal: Identify threats in real time that are likely to compromise a host. Vulnerability data has shown the host to be vulnerable to the inbound attack being detected by NIPS.
Trigger: Any event from a single IP Address targeting a host known to be vulnerable to the attack that`s inbound.
Event Sources: NIPS events, Vulnerability Assessment data

13. Repeat Attack-Multiple Detection Sources
Goal: Find hosts that may be infected or compromised detected by multiple sources (high probability of true threat).
Trigger: Alert on ANY second threat type detected from a single IP Address by a second source after seeing a repeat attack. (i.e. Repeat Firewall Drop, followed by Virus Detected)
Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events.

14. Possible Outbreak - Excessive Connections
Goal: Find hosts that may be infected or compromised by watching for a host to connect to a large number of destinations.
Trigger: Alert when a single host connects to 100 or more unique targets in 1 minute (must apply white lists for known servers to avoid false positives, and destination port !=80).
Event Sources: Firewall, NIPS, Flow Data, and Web Content Filters.

15. Possible Outbreak - Multiple Infected Hosts Detected on the Same Subnet
Goal: Alert on the detection of malware before it spreads beyond a limited number of hosts.
Trigger: Alert when 5 or more hosts on the same subnet trigger the same Malware Signature (AV or IDS) within a 1 hour interval.
Event Sources: Anti-Virus, HIPS, NIPS.

Monitored Log Sources
17. Monitored Log Source Stopped Sending Events
Goal: Alert when a monitored log source has not sent an event in 1 Hour (variable time based on the device).
Trigger: Log collection device must create an event periodically to show how many events have been received, and that this number is >0.
Event Sources: Log collection device.